Mageia Bugzilla – Bug 8291
claws-mail-plugins new security issue CVE-2012-5527
Last modified: 2013-01-18 01:38:26 CET
The flaw is in the vCalendar plugin and was fixed upstream in November. It looks like it was fixed in 3.9.0, but I'm not 100% sure. If so, it would only impact Mageia 2. It looks to be a pretty low impact/severity issue, so we could possibly just check a patch into SVN and not issue an update right away.
The RedHat bug has some good references:
It impacts cauldron as well. I just pushed 3.9.0-2 with the upstream patch to fix this in cauldron.
I also pushed an update to updates_testing for mga2 but I messed up the release tag (2.1 instead of 1.2). I will ask sysadm to remove the packages.
claws-mail-plugins has been removed from updates_testing, so you may fix the release tag and resubmit.
Also, I just noticed that the name of the PDF viewer plugin doesn't quite match in mga2 and Cauldron. In mga2 it has an underscore, which seems to be correct and consistent with the way the other subpackages are named, but in Cauldron it doesn't have the underscore. I added it in mga2 when I had to update to 3.8.1 for a previous security update:
I recommend renaming it in the Cauldron package. If you don't want to, it needs to obsolete the mga2 one.
Here is a proposed advisory:
Updated claws-mail-plugins packages fix security vulnerabilities:
A security flaw was found in the way the vCalendar plug-in of Claws Mail displayed user credential information in the system tray display when using the https scheme. A local attacker could use this flaw to obtain the user credentials (username and password) used for the connection to the remote point. (CVE-2012-5527)
Updated packages in core/updates_testing:
Regarding pdf_viewer, I just pushed a package with the renaming; it was an error.
I just pushed an update for claws-mail-plugins in mga2 updates_testing (see above for the advisory).
I don't have a way to easily test the update as it needs a vCal server with https auth.
When using this kind of server, the systray icon should not display the credentials of the account while fetching (see the upstream bug report for a screenshot).
Thanks & regards.
Patch checked into Mageia 1 SVN.
Testing complete mga2 32
Just loaded as many of the plugins as I could into claws and configured a random webcal calendar from the internet.
No errors after updating and vcalendar still works ok.
Testing mga2 64
Newmail plugin is not functional; it gives an error when installed.
Error: No such file or directory
Plugin is not functional.
Thanks for the testing.
After investigation, Newmail plugin needs an existing Mail directory inside $HOME and doesn't create one if it isn't present before loading. I will raise a bug upstream.
And here it is:
I've created a new Mageia bug for it, bug 8725; it was the same in the version in updates.
It won't hold up this update.
Other than Newmail, everything seems fine, so testing complete mga2 64.
Advisory & srpm in comment 3
Could sysadmin please push from core/updates_testing to core/updates